Security Information Technology Specialist
FHWA is seeking a highly qualified and motivated Information Technology (IT) Specialist to serve as a Cybersecurity Compliance Analyst to implement and advise on the IT cybersecurity program for all FHWA offices and locations. Specifically, the candidate ensures that applicable IT cybersecurity policies are implemented for FHWA information systems/applications and maintains an operational security posture consistent with current security policy.
The Security Information Technology Specialist will:
- Coordinate, review, and evaluate the cybersecurity compliance of FHWA’s cybersecurity program by implementing cybersecurity in the system engineering process, including Risk Management Framework (RMF) task(s) in accordance with National Institute of Standards and Technology (NIST) Special Publication 800-37, cybersecurity assessments and other audit requests, Information System Continuous Monitoring (ISCM), contingency planning, incident handling, risk analysis and mitigation, IT security baseline compliance, and cybersecurity (Role-based and Awareness) training, while interpreting, applying, and complying with DOT policy, guidelines, and NIST standards. Identify the need for changes based on new security technologies or threats.
- Evaluate and advise system owners, information owners, and the Information System Security Manager (ISSM) in recording all known security weaknesses in the Plans of Action and Milestones (POA&Ms) in accordance with DOT policy, guidelines, and procedures. This includes devising solutions and developing draft POA&Ms for observed control-level deficiencies or gaps in control implementation(s) in accordance with DOT policy, guidelines, and procedures, and conducting quality assurance reviews of existing POA&Ms to ensure that they are complete and accurate and that the identified solutions are cost-effective.
- Develop and collect information for effective performance measures and metrics by ensuring the Governance Risk and Compliance (GRC) tool accurately contains required information and supporting artifacts.
- Develop/update FIPS 199 Security Categorization documentation; ensure information types and special considerations (if applicable) are defined and documented; update System Security Plans (SSP), ensuring that discovered and identified system components and the implementation status of each control are addressed.
- Implement and evaluate the information system contingency planning process in accordance with NIST SP 800-34 Revision 1; ensure that contingency plan test exercise results are documented in an after-action report and that lessons learned and corrective actions are developed and updated in the Information System Contingency Plan (ISCP); and provide draft updates to contingency plans, including the Business Impact Analysis (BIA).
- Implement FHWA’s System Development Life Cycle (SDLC) by maintaining architecture diagrams, processes, and standard operating procedures, and ensure the integration and management of static code vulnerability detection.
The ideal candidate for this position is a cybersecurity specialist with extensive experience performing technical cybersecurity functions/duties for software applications/systems. He/she is highly analytical, possesses strong communications skills and has a proven track record of balancing business needs with security requirements. A comprehensive working knowledge of federal laws, Executive Orders, regulations, policies, and guidelines pertaining to IT security in the federal government is essential.